With the rise of the cloud, it makes sense that there is cloud storage. Basically, cloud storage is a place to store files without having to store them locally on your system.
You have probably heard of S3 buckets and how everyone seems to be hacking these things. Basically, there is a permission on S3 buckets that will allow anonymous users to list all files in the bucket. You can also do other things, such as upload files, depending on the permissions set. I'm not here to write another S3 bucket blog, there are plenty of those; we are here to learn about Google Cloud Storage, the S3 bucket alternative.
Google Cloud Storage, like Amazon's S3 buckets, is a place to store files. Like S3 buckets, Google Cloud Storage is also vulnerable to anonymous file listing. The URL for Google Cloud Storage endpoints looks like:
www.googleapis.com/storage/v1/b/<BUCKET_NAME>/o/
Now you just need some potential bucket names of your target. If the bucket name doesn't exist you will get a 404 code, as shown in the below response:
{
  "error": {
    "code": 404,
    "message": "Not Found",
    "errors": [
      {
        "message": "Not Found",
        "domain": "global",
        "reason": "notFound"
      }
    ]
  }
}
If the bucket does exist you will get a 401 code, as shown in the below response:
{
  "error": {
    "code": 401,
    "message": "Anonymous caller does not have storage.buckets.get access to facebook.",
    "errors": [
      {
        "message": "Anonymous caller does not have storage.buckets.get access to facebook.",
        "domain": "global",
        "reason": "required",
        "locationType": "header",
        "location": "Authorization"
      }
    ]
  }
}
As you can see in the above response, we get the following error message:
Anonymous caller does not have storage.buckets.get access
This means the endpoint isn't vulnerable, because anonymous users can't access the bucket. By default, buckets will be set to disallow anonymous users. This means that someone must make a mistake and change this setting for the vulnerability to be introduced.
If the bucket is vulnerable and has this misconfiguration, you should see a list of files, as shown in the below response:
{
  "kind": "storage#objects",
  "items": [
    {
      "kind": "storage#object",
      "id": "<BUCKET_NAME>/000a1d72-316c-4966-b1f0-232578fe18d6-executive-summary/1480372714305000",
      "selfLink": "https://www.googleapis.com/storage/v1/b/<BUCKET_NAME>/o/000a1d72-316c-4966-b1f0-232578fe18d6-executive-summary",
      "name": "000a1d72-316c-4966-b1f0-232578fe18d6-executive-summary",
      "bucket": "<BUCKET_NAME>",
      "generation": "1480372714305000",
      "metageneration": "1",
      "contentType": "application/pdf",
      "storageClass": "DURABLE_REDUCED_AVAILABILITY",
      "size": "5005843",
      "md5Hash": "7pqOAGvlnkEr2gfvVqvZKQ==",
      "mediaLink": "https://www.googleapis.com/download/storage/v1/b/<BUCKET_NAME>/o/000a1d72-316c-4966-b1f0-232578fe18d6-executive-summary?generation=1480372714305000&alt=media",
      "crc32c": "3wxk8w==",
      "etag": "COjrlY7CzNACEAE=",
      "timeCreated": "2016-11-28T22:38:34.290Z",
      "updated": "2016-11-28T22:38:34.290Z",
      "timeStorageClassUpdated": "2016-11-28T22:38:34.290Z"
    },
    {
      "kind": "storage#object",
      "id": "<BUCKET_NAME>/00462a01-e652-4781-8494-42c0379b3d44-comp-plan-progress-summary-april-2017/1493327003034000",
      "selfLink": "https://www.googleapis.com/storage/v1/b/<BUCKET_NAME>/o/00462a01-e652-4781-8494-42c0379b3d44-comp-plan-progress-summary-april-2017",
      "name": "00462a01-e652-4781-8494-42c0379b3d44-comp-plan-progress-summary-april-2017",
      "bucket": "<BUCKET_NAME>",
      "generation": "1493327003034000",
      "metageneration": "1",
      "contentType": "application/pdf",
      "storageClass": "DURABLE_REDUCED_AVAILABILITY",
      "size": "1787830",
      "md5Hash": "ogMtmQAYlusgzS/LlQvq1Q==",
      "mediaLink": "https://www.googleapis.com/download/storage/v1/b/<BUCKET_NAME>/o/00462a01-e652-4781-8494-42c0379b3d44-comp-plan-progress-summary-april-2017?generation=1493327003034000&alt=media",
      "crc32c": "i85dTw==",
      "etag": "CJDDsszExdMCEAE=",
      "timeCreated": "2017-04-27T21:03:23.021Z",
      "updated": "2017-04-27T21:03:23.021Z",
      "timeStorageClassUpdated": "2017-04-27T21:03:23.021Z"
    },
Each file in the exposed bucket can easily be downloaded by visiting the value contained in the "mediaLink" parameter. Now you only have to find some sensitive files that shouldn't be exposed.
As you can see, Google Cloud Storage shares the exact same vulnerabilities as S3 buckets; they are just a little less talked about because Amazon completely owns the cloud services market, but that doesn't mean you won't find people using other services.
Everyone knows about the vulnerabilities in S3 buckets, but no one ever talks about the other cloud providers. Google Cloud Storage shares the same vulnerabilities as S3 buckets; it's just a little less known.
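The setting that has to be changed for a bucket to become anonymously listable is an IAM binding that names a public member. As an added example (not code from the original post), the check below audits a bucket's IAM policy for such bindings; it assumes the policy JSON was exported with `gsutil iam get gs://<BUCKET_NAME>`, and the sample policy, bucket name, function names and role table are constructed for illustration.

```python
import json

# Members that make a binding public: anyone on the internet, or any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Effect of some predefined Cloud Storage roles (a subset chosen for this example).
ROLE_EFFECTS = {
    "roles/storage.legacyBucketReader": {"list"},
    "roles/storage.legacyObjectReader": {"read"},
    "roles/storage.objectViewer": {"list", "read"},
    "roles/storage.objectCreator": {"upload"},
    "roles/storage.objectAdmin": {"list", "read", "upload", "delete"},
}

# Constructed sample policy in the JSON shape printed by `gsutil iam get`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/storage.legacyBucketOwner",
   "members": ["projectOwner:example-project"]},
  {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
  {"role": "roles/storage.objectCreator",
   "members": ["allAuthenticatedUsers", "user:dev@example.com"]}
]}
""")


def audit_policy(bucket, policy):
    """Return (bucket, member, role, effects) for every public binding."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        # Roles missing from the table are still reported, marked for review.
        effects = ",".join(sorted(ROLE_EFFECTS.get(role, {"review-manually"})))
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((bucket, member, role, effects))
    return findings


def is_anonymously_listable(policy):
    """True when allUsers holds a role that includes listing objects."""
    return any(m == "allUsers" and "list" in e.split(",")
               for _, m, _, e in audit_policy("", policy))


if __name__ == "__main__":
    for finding in audit_policy("example-bucket", SAMPLE_POLICY):
        print("PUBLIC:", *finding)
    print("anonymous listing:", is_anonymously_listable(SAMPLE_POLICY))
```

Buckets that do not use uniform bucket-level access can also grant public access through ACLs, which this policy check does not see.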